[v2,0/6] Fixes multiple sysctl bound checks

Message ID	20250224095826.16458-1-nicolas.bouchinet@clip-os.org (mailing list archive)
Headers	show Received: from relay8-d.mail.gandi.net (relay8-d.mail.gandi.net [217.70.183.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B1C3C24C67F; Mon, 24 Feb 2025 09:58:57 +0000 (UTC) From: nicolas.bouchinet@clip-os.org To: linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, codalist@coda.cs.cmu.edu, linux-nfs@vger.kernel.org Cc: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>, Joel Granados <j.granados@samsung.com>, Clemens Ladisch <clemens@ladisch.de>, Arnd Bergmann <arnd@arndb.de>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Jason Gunthorpe <jgg@ziepe.ca>, Leon Romanovsky <leon@kernel.org>, "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, Jan Harkes <jaharkes@cs.cmu.edu>, Chuck Lever <chuck.lever@oracle.com>, Jeff Layton <jlayton@kernel.org>, Neil Brown <neilb@suse.de>, Olga Kornievskaia <okorniev@redhat.com>, Dai Ngo <Dai.Ngo@oracle.com>, Tom Talpey <tom@talpey.com>, Trond Myklebust <trondmy@kernel.org>, Anna Schumaker <anna@kernel.org>, Bart Van Assche <bvanassche@acm.org>, Zhu Yanjun <yanjun.zhu@linux.dev>, Al Viro <viro@zeniv.linux.org.uk>, Christian Brauner <brauner@kernel.org> Subject: [PATCH v2 0/6] Fixes multiple sysctl bound checks Date: Mon, 24 Feb 2025 10:58:15 +0100 Message-ID: <20250224095826.16458-1-nicolas.bouchinet@clip-os.org> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Fixes multiple sysctl bound checks \| expand [v2,0/6] Fixes multiple sysctl bound checks [v2,1/6] sysctl: Fixes idmap_cache_timeout bounds [v2,2/6] sysctl: Fixes nsm_local_state bounds [v2,3/6] sysctl/coda: Fixes timeout bounds [v2,4/6] sysctl: Fixes scsi_logging_level bounds [v2,5/6] sysctl/infiniband: Fixes infiniband sysctl bounds [v2,6/6] sysctl: Fixes max-user-freq bounds

Message ID

20250224095826.16458-1-nicolas.bouchinet@clip-os.org (mailing list archive)

Headers

From: nicolas.bouchinet@clip-os.org
To: linux-kernel@vger.kernel.org,
	linux-rdma@vger.kernel.org,
	linux-scsi@vger.kernel.org,
	codalist@coda.cs.cmu.edu,
	linux-nfs@vger.kernel.org
Cc: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>,
	Joel Granados <j.granados@samsung.com>,
	Clemens Ladisch <clemens@ladisch.de>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	Leon Romanovsky <leon@kernel.org>,
	"James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	Jan Harkes <jaharkes@cs.cmu.edu>,
	Chuck Lever <chuck.lever@oracle.com>,
	Jeff Layton <jlayton@kernel.org>,
	Neil Brown <neilb@suse.de>,
	Olga Kornievskaia <okorniev@redhat.com>,
	Dai Ngo <Dai.Ngo@oracle.com>,
	Tom Talpey <tom@talpey.com>,
	Trond Myklebust <trondmy@kernel.org>,
	Anna Schumaker <anna@kernel.org>,
	Bart Van Assche <bvanassche@acm.org>,
	Zhu Yanjun <yanjun.zhu@linux.dev>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>
Subject: [PATCH v2 0/6] Fixes multiple sysctl bound checks
Date: Mon, 24 Feb 2025 10:58:15 +0100
Message-ID: <20250224095826.16458-1-nicolas.bouchinet@clip-os.org>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Fixes multiple sysctl bound checks | expand

Message

Nicolas Bouchinet Feb. 24, 2025, 9:58 a.m. UTC

From: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>

Hi,

This patchset adds some bound checks to sysctls to avoid negative
value writes.

The patched sysctls were storing the result of the proc_dointvec
proc_handler into an unsigned int data. proc_dointvec being able to
parse negative value, and it return value being a signed int, this could
lead to undefined behaviors.
This has led to kernel crash in the past as described in commit
3b3376f222e3 ("sysctl.c: fix underflow value setting risk in vm_table")

They are now bounded between SYSCTL_ZERO and SYSCTL_INT_MAX.
The proc_handlers have thus been updated to proc_dointvec_minmax.

This patchset has been written over sysctl-testing branch [1].
See [2] for similar sysctl fixes currently in review.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/sysctl/sysctl.git/log/?h=sysctl-testing
[2]: https://lore.kernel.org/all/20250115132211.25400-1-nicolas.bouchinet@clip-os.org/

Best regards,

Nicolas

---

Changes since v1:
https://lore.kernel.org/all/20250127142014.37834-1-nicolas.bouchinet@clip-os.org/

* Detached patches 1/9, 2/9 [3] and 3/9 [4]
* Adapted the cover-letter message to match the reduced patchset

[3]: https://lore.kernel.org/all/20250129170633.88574-1-nicolas.bouchinet@clip-os.org/
[4]: https://lore.kernel.org/all/20250128103821.29745-1-nicolas.bouchinet@clip-os.org/

---

Nicolas Bouchinet (6):
  sysctl: Fixes idmap_cache_timeout bounds
  sysctl: Fixes nsm_local_state bounds
  sysctl/coda: Fixes timeout bounds
  sysctl: Fixes scsi_logging_level bounds
  sysctl/infiniband: Fixes infiniband sysctl bounds
  sysctl: Fixes max-user-freq bounds

 drivers/char/hpet.c            | 4 +++-
 drivers/infiniband/core/iwcm.c | 4 +++-
 drivers/infiniband/core/ucma.c | 4 +++-
 drivers/scsi/scsi_sysctl.c     | 4 +++-
 fs/coda/sysctl.c               | 4 +++-
 fs/lockd/svc.c                 | 4 +++-
 fs/nfs/nfs4sysctl.c            | 4 +++-
 7 files changed, 21 insertions(+), 7 deletions(-)